Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson
Richard Gibson <rgibson@dyn.com> Wed, 26 July 2017 17:28 UTC
Return-Path: <rgibson@dyn.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75BF131D70 for <dnsop@ietfa.amsl.com>; Wed, 26 Jul 2017 10:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dyn.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lFyPP72VByI for <dnsop@ietfa.amsl.com>; Wed, 26 Jul 2017 10:28:43 -0700 (PDT)
Received: from mail-ua0-x245.google.com (mail-ua0-x245.google.com [IPv6:2607:f8b0:400c:c08::245]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63417131CA1 for <dnsop@ietf.org>; Wed, 26 Jul 2017 10:28:43 -0700 (PDT)
Received: by mail-ua0-x245.google.com with SMTP id h2so122710087uaf.5 for <dnsop@ietf.org>; Wed, 26 Jul 2017 10:28:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dyn.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=g5tIR88e7yqxTyuV7ML9H4PT/CBL3AQticCpsHvGLaw=; b=iNxV7XwPVA0FnLw8velTGLOkKUa7XaydrkkU0wO/BfaiIB6Xb52jCLKi0SxfrXJhCE AEewSgoSEsqqwdsNrWTRqCtabiZM3OR10LoAgPGd14sxYFNoQDlfQ4Isf03B5gnpOk0r SY8unZlnsf4uJ4DbXY0HrEST5e4oHkisHMcQQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=g5tIR88e7yqxTyuV7ML9H4PT/CBL3AQticCpsHvGLaw=; b=X9ciKIulogjxL208WzRixpBCB/OC1g9zKw7bd/Q/Mvyqgv+3GJ95D0KLW9GL+7P4+Z IUVB+R2V2qEIvaW4uYsIxBild/8C37Q5FWN2etQKqYpNNPEPZ4/XzUGTLlzGWFD9gb+p w4XtZa/qit7r/vqj4pgGZ3kehsAAjJXHvUSb63aHdNBNlULZx9xckapIV611zPNPbnuk nlFtiF6Bdwd8TRHroE+nuVq6nQDqjXn5uTFhMWOKFhfMkgqytTEnCWcF6ewJe4T9g9Vj WopC/u7XVX/CzH/OlxRsJHuc3AYNGrEog5u6CrJWxTzeb63xwMU5NSRYpIvzG8rLvn2T 8czQ==
X-Gm-Message-State: AIVw112F3fRN+xAhVNKr2TMjiAsptHrZDeZIjXr9hvGKYFRXeJlqf14d 2y5pQqWN/n7rxN1NID9qYKcmh8jldkBkVIYFBQ==
X-Received: by 10.31.63.151 with SMTP id m145mr950186vka.59.1501090122464; Wed, 26 Jul 2017 10:28:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.85.83 with HTTP; Wed, 26 Jul 2017 10:28:22 -0700 (PDT)
In-Reply-To: <083C34A2-92B9-4A9F-A331-9C38E22417C7@hopcount.ca>
References: <083C34A2-92B9-4A9F-A331-9C38E22417C7@hopcount.ca>
From: Richard Gibson <rgibson@dyn.com>
Date: Wed, 26 Jul 2017 13:28:22 -0400
Message-ID: <CAC94RYYYrb8AXFhwqW89jh79QvPOTtrK4esupL8YbFToUP3+Aw@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a114dbdf68693a205553bc735"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dd9vLaMVXvdLisC7DqUuBHkwej0>
Subject: Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 17:28:47 -0000
On Tue, Jul 25, 2017 at 4:52 PM, Joe Abley <jabley@hopcount.ca> wrote: > > - There is no mechanism for signaling section 4.1/ section 4.3 > "partial > > response" behavior to clients (e.g., a new OPT record EDNS header flag > > bit > > <http://www.iana.org/assignments/dns-parameters/ > dns-parameters.xhtml#dns-parameters-13> > > ). > > Correct. I presume you are suggesting that there should be one. I have not > heard anybody else require such a thing, and new EDNS code points are > thought by at least some to be thorny things to pass undigested through > middleboxes so I think it's a non-trivial suggestion that would require a > proposal that itself would need thorough review. That feels out of scope > for this document, but perhaps something analogous to extended RCODEs in > the sense that it's channel metadata. > The need for such a signal also came up recently in https://tools.ietf.org/html/draft-wkumari-dnsop-multiple-responses-05#section-10 . But in this case particularly, middleboxes should be a complete non-issue... anyone expecting QTYPE=ANY passthrough is already asking for trouble. I think it would be uncontroversial to note explicitly that the mechanism > described in this document contains no such signalling, however. Let me > know if that seems like a pragmatic solution. > I remain concerned about issuing incomplete responses to ANY queries without indication of such, and predict that it will hinder operational problem investigation and remediation (especially pertaining to IPv4/IPv6 issues). My preference has not changed, but an explicit acknowledgment of the gap at least provides a reference for future improvement. > - "Conventional [ANY] response" is used but not defined. > > I am not sure why it's ambiguous without a definition. To me that phrase > seems pretty straightforward; if your core objection is that the DNS > standards are not written down with great accuracy, yeah. The only > definition I can think of really is something like "A response to a query > that had QTYPE=ANY which follows convention" which just seems longer, not > more clear. What did you have in mind? > How about updating document text to replace "conventional ANY queries" (section 3) and "conventional response" (section 4.1) with "conventional ANY response" and defining it in the Terminology section: In this document, "conventional ANY response" refers to an ANY Response that would be produced by the algorithm in section 4.3.2 of RFC 1034. Conventional ANY responses can include include records from an arbitrarily high number of RRSets, up to message truncation. Also, it therefore appears that this draft needs to be noted as updating RFC 1034. > - "ANY does not mean ALL" is misleading—RFC 1035 > > < > > https://tools.ietf.org/html/rfc1035#section-3.2.3> > > is clear about > > QTYPE=255 being "a request for *all* records" (emphasis mine). That > > said, the proposed *response* behavior is consistent with that RFC. > > All records that the server constructing the response knows about? > > All records that the server can fit into the response given the > constraints of the available transport? > > ALL THE RECORDS IN THE WHOLE WORLD! That was an obscure reference to > Blackadder the Second that probably pleases nobody but me. ("Kill Bob!" > "Never!") > > I think to that point we can implicitly acknowledge between ourselves that > less ambiguity would be nice, but that on the whole this text as-is at > worst does no harm, and at best helps illustrate the philosophy of the > approach being described. > > Let me know how much of that you can live with :-) > In light of the above, referencing RFC 1035 actually seems misleading... the relevant definitions come from RFC 1034, and this draft is consistent with it in acknowledging use of QTYPE=255 for *requesting* records of all types, but inconsistent with it in specifying *responses* that intentionally omit matching records. On Tue, Jul 25, 2017 at 4:53 PM, Joe Abley <jabley@hopcount.ca> wrote: > > 1. A DNS responder can choose to select one or subset of RRSets at > > the QNAME. > > > > 'one or subset of RRSets' sounds a bit awkward to me > > I agree. Perhaps "One or more of the RRSets at a QNAME". "... or a subset" > seems wrong, actually; since some vestigial fragment of a set theory > lecture in the depths of my pre-history is telling me that the empty set is > always a valid subset. Suggestion: "A DNS responder can choose to select one or more nonempty matching RRSets". This works because existence is guaranteed by the preceding text ("for names that exists that are used", probably better phrased as "for QNAMEs with at least one nonempty RRSet"). And it has the added benefit of correctly covering wildcard behavior. I also discovered some incidental issues while confirming the above: 1. The draft should standardize on one of "RRSet" (capital S, 17 current instances) or "RRset" (minuscule S, 7 current instances). 2. Section 4.1 appears to have some errors in grammar and use RFC 2119 terms, and should be reworded (removals in strikethrough, additions in *bold*): A DNS responder which receives an ANY query MAY decline to provide a conventional response, or MAY instead send a response with a single RRSet *one or more selected RRSets* in the answer section. The RRSet *or RRSets* returned in the answer section of the response MAY be a single RRSet *MUST be* owned by the name specified in the QNAME. Where multiple RRSets exist, the responder SHOULD choose a small one(s) *make selections that minimize response size* to reduce its amplification potential. If the zone is signed*, covering* RRSIG records MUST be included in the answer*.*
- [DNSOP] draft-ietf-dnsop-refuse-any: points from … Joe Abley
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Richard Gibson
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Joe Abley
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Richard Gibson
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Joe Abley
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Tony Finch